[Date Prev][Date Next]
Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
On Apr 16, 2008, at 7:58 AM, email@example.com wrote:
> Full_Name: Petter Reinholdtsen
> Version: 2.1.30
> OS: Debian GNU/Linux Etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
> I ran into this problem when trying to use nss-ldapd with LDAP
> from an Microsoft Active Directory server. The problem only appear
> if there
> are more than 1500 members in a group. When there are fewer than
> 1500 members,
> the result from the LDAP server look like this:
> member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
> This is properly handled by ldap_get_values(), and the nss-ldapd
> module work
> properly. For groups with more than 1500 members, the result from
> the LDAP
> look like this:
> This notation is not handled by ldap_get_values(), and it return
> NULL, resulting
> a group with zero members.
This is proper and well-intended behavior. You asked for values of
returned under the attribute description "member", not the (invalid)
attribute description "member;range=0-1499". Two attribute
descriptions which share the same attribute type do not necessarily
refer to the same attribute.
> Is there a way to parse such "paged" attributes
> the openldap library, and could ldag_get_values() be changed to
> handle these?
> Is the range= notation legal LDAP notation?
No. Attribute description options cannot contain equal signs. See
> I have been unable to find
> about this in any RFC, but our resident LDAP expert mentioned that
> it could be
> according to some extention specification.
Microsoft might offers some specification for this crap. But I note
that it's an improper extension as extensions should be truly optional
(per RFC 4521 and common sense).
> Have not been able to find
> about it.
> To get the rest of the members I have to ask for attribute
> repeat this until the result show for example 'range=6000-*' to
> indicate that
> this is the last batch of members.
If you want to implement this crap, you can do so without additional
support from LDAP API. Use ldap_first/next_attribute API.